I believe a real-time alert will not be possible using ePO's built-in features.
Best bet is to use SIEM solution.
I'm not aware of such a capability in ePO. Why are you so interested in this issue? Only the administrator, not the user, can generate a DLP bypass key. However, I do not like this function: during the bypass time, DLP does not control the employee. It is very dangerous. I'm testing another option: make 2 identical policies: 1 - block, 2 - monitor. Then, at the user's request, the policy is switched from mode 1 to mode 2.
Sometimes our helpdesk guys need to generate a temporary bypass, and I would like to get an alert/message when this happens, in order to be sure that bypass codes are always generated for business reasons.
I can't believe there is not a way to do it, even making a query and sending it by email or something like that.
Are you looking to generate the alert in real time or periodically?
Periodically is indeed possible.
Create a query for the ePO audit log and set "generate ..." as the filter.
Set a server task to email you on a daily basis and you are set.
If I'm not wrong, then you can use the Automatic Response feature available on the ePO server.
>> Create a new response in Automatic response page.
>> Select Event group: ePO notification events
Event type: Client
>> Under the "Filter" column, add the below event IDs with the logical "AND" function (add only the IDs).
19102: Agent Enters Bypass Mode (Info)
19103: Agent Leaves Bypass Mode (Info)
19131: Agent Uninstall Key Generated (Info)
>> Proceed to further configurations to trigger the response and to get the email notification. (The above scenario is untested; you can test it in your lab environment.)
An email server needs to be configured on the ePO server to get the email notification.
Once ePO receives events from the client machine, it will trigger an email. (This setting is not applicable to offline machines.)
For more info, please refer to the Automatic Response section of the ePO product guide.
That is to send an alert when the agent goes into the mentioned mode [== when the key is used].
It does not necessarily indicate when the key itself is generated.
You can test it with those event IDs.
Did this work?